Copyright © 2014 Pearson Education, Inc. 1 IS Security is a critical aspect of managing in the digital world Chapter 10 - Securing Information Systems
Copyright © 2014 Pearson Education, Inc. 2 Chapter 10 Learning Objectives Computer Crime Define computer crime and describe several types of computer crime. Cyberwar and Cyberterrorism Describe and explain the differences between cyberwar and cyberterrorism. Information Systems Security Explain what is meant by the term “IS security” and describe both technology and human based safeguards for information systems. Managing IS Security Discuss how to better manage IS security and explain the process of developing an IS security plan. Information Systems Controls, Auditing, and the Sarbanes-Oxley Act Describe how organizations can establish IS controls to better ensure IS security.
Copyright © 2014 Pearson Education, Inc. 3 Computer Crime Define computer crime and describe several types of computer crime. Cyberwar and Cyberterrorism Describe and explain the differences between cyberwar and cyberterrorism. Information Systems Security Explain what is meant by the term “IS security” and describe both technology and human based safeguards for information systems. Managing IS Security Discuss how to better manage IS security and explain the process of developing an IS security plan. Information Systems Controls, Auditing, and the Sarbanes-Oxley Act Describe how organizations can establish IS controls to better ensure IS security.
Copyright © 2014 Pearson Education, Inc. 4 What Is Computer Crime? “Using a computer to commit an illegal act” Targeting a computer while committing an offense – Unauthorized access of a server to destroy data Using a computer to commit an offense – Using a computer to embezzle funds Using computers to support a criminal activity – Maintaining books for illegal gambling on a computer
Copyright © 2014 Pearson Education, Inc. 5 Hacking and Cracking Hackers – Anyone with enough knowledge to gain unauthorized access to computers – Hackers who aren’t crackers don’t damage or steal information belonging to others Crackers – Individuals who break into computer systems with the intent to commit crime or do damage – Hacktivists: Crackers who are motivated by political or ideological goal and who use Cracking to promote their interests
Copyright © 2014 Pearson Education, Inc. 6 Types of Computer Crimes Unauthorized Access – Stealing information – Stealing use of computer resources – Accessing systems with the intent to commit Information Modification Information Modification – Changing data for financial gain (e.g.: embezzlement) – Defacing a Web site (e.g.: hactivists making a statement)
Copyright © 2014 Pearson Education, Inc. 7 Computer Viruses and Other Destructive Code: Spyware, Spam, and Cookies Spyware, Spam, and Cookies – Spyware: software that monitors the activity on a computer, such as the Web sites visible or even the keystrokes of the user – Spam: Bulk unsolicited sent to millions of users at extremely low cost, typically seeking to sell a product, distribute malware, or conduct a phishing attack – Cookies: A small file Web sites place on user’s computer. Can be legitimate (to capture items in a shopping cart) but can be abused (to track individuals browsing habits) and can contain sensitive information (like credit card numbers) and pose a security risk
Copyright © 2014 Pearson Education, Inc. 8 Cyberharassment, Cyberstalking, and Cyberbullying Cyberharassment – Use of a computer to communicate obscene, vulgar, or threatening content that causes a reasonable person to endure distress Cyberstalking – Tracking an individual, performing harassing acts not otherwise covered by Cyberharassment, or inciting others to perform harassing acts CyberBullying – Deliberately causing emotional distress All three are closely related, a Cyberstalker may be committing Cyberharassment and Cyberbullying
Copyright © 2014 Pearson Education, Inc. 9 Information Systems Security Computer Crime Define computer crime and describe several types of computer crime. Cyberwar and Cyberterrorism Describe and explain the differences between cyberwar and cyberterrorism. Information Systems Security Explain what is meant by the term “IS security” and describe both technology and human based safeguards for information systems. Managing IS Security Discuss how to better manage IS security and explain the process of developing an IS security plan. Information Systems Controls, Auditing, and the Sarbanes-Oxley Act Describe how organizations can establish IS controls to better ensure IS security.
Copyright © 2014 Pearson Education, Inc. 10 Safeguarding IS Resources Risk Reduction – Actively installing countermeasures Risk Acceptance – Accepting any losses that occur Risk Transference – Insurance – Outsourcing
Copyright © 2014 Pearson Education, Inc. 11 Technological Safeguards: Encryption
Copyright © 2014 Pearson Education, Inc. 12 Technological Safeguards: Virus monitoring and prevention Standard precautions – Purchase, install, and maintain antivirus software – Do not use flash drives or shareware from unknown or suspect sources – Use reputable sources when downloading material from the Internet – Delete without opening any message received from an unknown source – Do not blindly open attachments, even if they come from a known source – If your computer system contracts a virus, report it
Copyright © 2014 Pearson Education, Inc. 13 Technological Safeguards: Audit-control software All computer activity can be logged and recorded Audit-control software keeps track of computer activity Only protects security if results are monitored
Copyright © 2014 Pearson Education, Inc. 14 Technological Safeguards: Secure data centers - Ensuring Availability
Copyright © 2014 Pearson Education, Inc. 15 Technological Safeguards: Secure data centers Securing the facilities infrastructure – Backups – Backup Sites – Redundant Data Centers – Closed-Circuit Television – Uninterruptible Power Supply
Copyright © 2014 Pearson Education, Inc. 16 Human Safeguards
Copyright © 2014 Pearson Education, Inc. 17 Computer Forensics Formally evaluating digital information for judicial review – Examining the computers of crime victims for evidence – Examining the computers of criminals for evidence – Auditing computer activity logs – Restoring “deleted” computer data
Copyright © 2014 Pearson Education, Inc. 18 Information Systems Controls, Auditing, and the Sarbanes-Oxley Act Computer Crime Define computer crime and describe several types of computer crime. Cyberwar and Cyberterrorism Describe and explain the differences between cyberwar and cyberterrorism. Information Systems Security Explain what is meant by the term “IS security” and describe both technology and human based safeguards for information systems. Managing IS Security Discuss how to better manage IS security and explain the process of developing an IS security plan. Information Systems Controls, Auditing, and the Sarbanes-Oxley Act Describe how organizations can establish IS controls to better ensure IS security.
Copyright © 2014 Pearson Education, Inc. 19 Information System Controls: Hierarchy
Copyright © 2014 Pearson Education, Inc. 20 Information System Controls Preventive controls – Prevent events from occurring (e.g., block unauthorized access) Detective controls – Determine if anything has gone wrong (e.g., detect that an unauthorized access has occurred) Corrective controls – Mitigate problems after they arise
Copyright © 2014 Pearson Education, Inc. 21 END OF CHAPTER CONTENT
Copyright © 2014 Pearson Education, Inc. 22